Just to eliminate any further doubt of this being a rootkit:
On 16 December 2010 10:16, Adam Spiers <bitfolk(a)adamspiers.org> wrote:
and 'unhide proc' output:
Unhide 20080519
yjesus(a)security-projects.com
[*]Searching for Hidden processes through /proc scanning
Found HIDDEN PID: 28213
Command: -bash
This is a bash process which doesn't go away with a reboot.
lsof -p on the bash process reveals:
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
dropbear 1938 root cwd DIR 202,0 4096 2 /
dropbear 1938 root rtd DIR 202,0 4096 2 /
dropbear 1938 root txt REG 202,0 589672 346434 /usr/include/sslv3/dropbear
dropbear 1938 root 3u IPv6 4292 TCP *:44965 (LISTEN)
Also:
# dpkg -S /usr/include/sslv3/dropbear
dpkg: /usr/include/sslv3/dropbear not found.
# l /usr/include/sslv3/dropbear
-rwxr-xr-x 1 root root 576K 2010-12-16 02:24 /usr/include/sslv3/dropbear*
So the exploit starts up a trojaned dropbear sshd service on a high port
and masquerades it as a bash process. I would love to know how it gets
started up, but I have to pack for Asia now :-(
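The three checks in the report above (a /proc walk that finds PIDs ps omits, a claimed command name that does not match the binary behind it, and dpkg -S finding no owner for that binary) combined into one triage helper. This is an added example, not code from the list thread; the ProcInfo type, the `query` hook and `fake_dpkg` are assumptions made so the block runs offline on a constructed snapshot.

```python
import os
import subprocess
from dataclasses import dataclass

@dataclass
class ProcInfo:
    pid: int
    comm: str   # argv[0] as ps/unhide show it, e.g. "-bash"
    exe: str    # target of the /proc/<pid>/exe symlink

def hidden_pids(proc_pids, ps_pids):
    """PIDs found by walking /proc that ps never reported (the unhide check)."""
    return sorted(set(proc_pids) - set(ps_pids))

def masquerading(procs):
    """Processes whose claimed command name differs from the binary they run."""
    base = lambda name: os.path.basename(name.lstrip("-"))
    return [p for p in procs if base(p.comm) != base(p.exe)]

def package_owner(path, query=None):
    """Owning package per dpkg -S, or None when no package claims the file.
    `query` is an assumed hook so the real dpkg call can be replaced offline."""
    if query is None:
        def query(p):
            r = subprocess.run(["dpkg", "-S", p], capture_output=True, text=True)
            return r.stdout if r.returncode == 0 else ""
    lines = query(path).strip().splitlines()
    return lines[0].split(":")[0] if lines else None

def triage(procs, ps_pids, query=None):
    """Return (pid, reason) findings from all three checks."""
    findings = [(pid, "present in /proc but hidden from ps")
                for pid in hidden_pids([p.pid for p in procs], ps_pids)]
    for p in masquerading(procs):
        findings.append((p.pid, f"claims {p.comm} but runs {p.exe}"))
        if package_owner(p.exe, query) is None:
            findings.append((p.pid, f"{p.exe} not owned by any package"))
    return findings
# Constructed snapshot modelled on the report above; not real system data.
SAMPLE_PROCS = [
    ProcInfo(1, "init", "/sbin/init"),
    ProcInfo(1938, "-bash", "/usr/include/sslv3/dropbear"),
    ProcInfo(2200, "-bash", "/bin/bash"),
]
SAMPLE_PS_PIDS = [1, 2200]  # ps output omits 1938

def fake_dpkg(path):
    """Canned dpkg -S answers for the constructed snapshot."""
    return "bash: /bin/bash\n" if path == "/bin/bash" else ""
```

On a live Debian host, feed `triage` the real /proc listing and `ps -e` PIDs and leave `query` unset so dpkg -S is actually consulted.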